Message-ID: <20250610172226.1470741-13-stephen.smalley.work@gmail.com> Date: Tue, 10 Jun 2025 13:21:43 -0400 From: Stephen Smalley <stephen.smalley.work@...il.com> To: selinux@...r.kernel.org Cc: paul@...l-moore.com, omosnace@...hat.com, netdev@...r.kernel.org, Stephen Smalley <stephen.smalley.work@...il.com> Subject: [PATCH v4 12/42] selinux: exempt creation of init SELinux namespace from limits Exempt the creation of the init SELinux namespace from the maxns limit. It was already exempted from the maxnsdepth limit by virtue of only applying that check when there is a parent namespace. Otherwise, if one were to set CONFIG_SECURITY_SELINUX_MAXNS to 0, the creation of the init SELinux namespace would fail. Signed-off-by: Stephen Smalley <stephen.smalley.work@...il.com> --- security/selinux/hooks.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index eaac0ed9fcd2..dcdc8c23590e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7787,7 +7787,7 @@ int selinux_state_create(struct selinux_state *parent, struct selinux_state *newstate; int rc; - if (atomic_read(&selinux_nsnum) >= selinux_maxns) + if (parent && atomic_read(&selinux_nsnum) >= selinux_maxns) return -ENOSPC; if (parent && parent->depth >= selinux_maxnsdepth) -- 2.49.0
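Review bot: In selinux_state_create(), both limit checks now start with `parent &&`, but the rule that a NULL parent means the init namespace is stated only in the commit message, not in the code. Consider folding the two tests into a single `if (parent) { ... }` block with a one-line comment saying that the init SELinux namespace (no parent) is exempt from both maxns and maxnsdepth. That keeps the exemption visible at the point where it is enforced, and a later caller that passes a NULL parent for some other reason would be less likely to bypass the -ENOSPC check unnoticed.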